
After years of discussions, the General Data Protection Regulation (the GDPR) has finally been adopted and is due to come into effect on 25 May 2018. The GDPR will replace the current Data Protection Directive and will be directly applicable in all EU member states.

Introduction

Following up on our previous updates on the rights of data subjects, in this seventh newsletter we discuss the remaining rights of data subjects: erasure, restriction, objection and automated individual decision-making.

Right to erasure

The right to erasure is also known as ‘the right to be forgotten’. The right to erasure does not provide an absolute right to have data erased. Under the GDPR, data subjects have the right to have their data erased in the following situations:

the personal data is no longer necessary in relation to the purpose for which it was originally collected;

the processing is based on consent and this consent is withdrawn (and there is no other legal ground for the processing);

the data subject objects to the processing and there are no overriding legitimate grounds for the processing;

the personal data was unlawfully collected;

the personal data has to be erased in order to comply with a legal obligation; and

the personal data is processed in relation to the offer of information society services to a child (in particular where the child gave consent as a child, without being fully aware of the processing risks, and wants the data erased, in particular from the internet).

The Dutch Data Protection Act (the DDPA) currently provides for a right to erasure. However, under the DDPA the right to erasure only applies if the personal data is incorrect, incomplete or irrelevant. Under the GDPR, the right to erasure exists if one or more of the exhaustively listed grounds above apply.

If the data controller has made the personal data public and is obliged to erase it, the controller must take reasonable steps (including technical measures) to inform other controllers that the data subject has requested erasure of his or her personal data. This obligation is potentially far-reaching, as the personal data is by then in the public domain.

Several exemptions to the obligation to erase personal data apply. This is the case when the processing is necessary for:

the exercise of the right of freedom of expression and information;

compliance with an EU or Member State legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

reasons of public interest in the area of public health;

archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of such processing; or

the establishment, exercise or defence of legal claims (in particular for evidence purposes).

Right to restriction

Under the GDPR, the data subject has the right to obtain (temporary) restriction of the processing of his or her personal data in the following situations:

the data subject is contesting the accuracy of the personal data that is being processed, for the period enabling the controller to verify the accuracy of the personal data;

the processing is unlawful and the data subject opposes the erasure of his or her personal data and requests restriction instead;

the data controller no longer needs the personal data for the purposes of processing, but the personal data is required by the data subject for the establishment, exercise or defence of legal claims; or

the data subject has objected to the processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

During the period of restriction, the ‘marked’ personal data may only be stored by the controller. Other processing activities regarding the ‘marked’ data are not allowed.
If personal data is ‘restricted’, the controller may nevertheless further process the data with the data subject’s consent, or if the processing is necessary for the establishment, exercise or defence of legal claims, for the protection of third parties or for reasons of important public interest of the relevant member state and/or the EU.

The restriction of the processing must be clearly indicated in the controller’s systems. Methods that can be used to restrict the processing of personal data within the controller’s organisation include temporarily removing or blocking published data from a website, or a temporary transfer of the ‘marked’ personal data to another processing system, making the ‘marked’ personal data unavailable. The restriction of processing should in principle be ensured by technical means and should be logged in the controller’s IT systems in such a manner that the personal data is not subject to further processing operations and cannot be changed.

Before lifting any processing restriction, the controller must inform the data subject.

Right to object

Under the GDPR, the data subject has the right to object to the processing of his or her personal data in the following three situations:

(i) if the processing is based on the justification ‘necessary for a public interest’ or ‘necessary for the purposes of the legitimate interests pursued by the controller’;

(ii) if personal data is processed for direct marketing purposes; and

(iii) if personal data is processed for scientific, historical research or statistical purposes.

(i) Processing is based on the justification ‘necessary for a public interest’ or ‘necessary for the purposes of the legitimate interests pursued by the controller’

With respect to the situation described under (i), the controller must cease the processing of personal data if the data subject objects to the processing, unless it can demonstrate that it has compelling legitimate grounds for the processing which override the interests of the data subject, or for the establishment, exercise or defence of legal claims.

This is a change compared to the current situation. Under the DDPA the data subject must show compelling legitimate grounds relating to his particular situation to object to the processing of his or her personal data. Under the GDPR this is no longer required: if a data subject objects, the controller must demonstrate why it should nonetheless be able to process the personal data.

(ii) Personal data is processed for direct marketing purposes

The right to object described under (ii) is absolute: if a data subject objects, the controller must cease the processing of that data subject’s personal data for direct marketing purposes (including profiling to the extent that it is related to the direct marketing purposes).

The GDPR places emphasis on the fact that the right to object to processing for direct marketing purposes should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information (e.g. it cannot be ‘hidden’ in the applicable general terms and conditions). It should be presented to the data subject at the latest at the time of the first contact with the data subject.

(iii) Personal data is processed for scientific, historical research or statistical purposes

With respect to the situation described under (iii), the data subject only has the right to object if there are grounds relating to the data subject’s particular situation. Further, there is an exception if the processing is necessary for the performance of a task carried out for reasons of public interest.

Automated individual decision-making

Under the GDPR, data subjects have the right not to be subject to decisions based solely on automated processing (including profiling), if the decision produces legal effects concerning the data subject or similarly significantly affects the data subject. Examples of such decisions are the refusal of an online credit application, e-recruiting or e-evaluation of performance without any human intervention.

According to the draft Dutch explanatory memorandum to the draft Dutch implementation act, this provision entails a prohibition on subjecting a data subject to a decision that is based solely on an automated processing activity. This provision does not prohibit profiling or the use of automated processing activities, but, if these are used to take a decision in respect of a data subject, they should be paired with human intervention.

Automated decision-making is allowed where expressly authorised by EU or Member State law (including for fraud and tax-evasion monitoring), where necessary for entering into or performing a contract between the controller and the data subject, or if the data subject has given his or her explicit consent. The Dutch legislator intends to authorise automated processing (other than profiling) where needed for a controller to meet a legal obligation, or when carrying out a task in the public interest. Examples in this category are automated decisions on governmental allowances, such as child allowances (kinderbijslag) and study allowances (studiefinanciering).

Any processing covered by this provision should be subject to suitable safeguards, which include specific information to the data subject, and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision.

Automated decision-making based on sensitive data is further restricted and may only take place with explicit consent or where the processing is necessary for substantial public interest reasons and on the basis of EU or Member State law.

Practical recommendations and conclusion

Organisations should review their privacy notices and policies to ensure that data subjects are adequately informed of their rights to object, to erasure and to restriction. Organisations should also determine whether their systems are able to meet the requirements to ‘mark’ personal data as restricted while complaints are resolved. Further, organisations should verify whether and to what extent they use automated decision-making and identify whether one of the limited justifications applies. Actions may be of a technical nature and could therefore require involvement of the IT department and changes to existing IT systems. If automated decision-making takes place, internal procedures should be evaluated and, where necessary, updated.
